Digital dilemma: How do you command a cyber cast of thousands?
This article is a follow-up to the interview featured in the autumn issue of The British Army Review and is intended to provide readers with further insight into the structure and operations of the IT Army of Ukraine. The content is based on a conversation held with a senior representative in Kyiv.
VIEWED through a conventional military prism, the effective, if unfamiliar, style of command and control being exercised by the IT Army of Ukraine – a voluntary unit comprising tens of thousands of anonymous, geographically dispersed cyber operators – is deserving of admiring glances.
The group’s executive team, which consists of fewer than 100 individuals, has met the considerable challenges associated with mass mobilisation with distinction, overseeing a campaign of digital missions that has already inflicted “hundreds of millions, if not billions, of dollars” worth of losses on the Russian economy.
This success has come despite the IT Army being pitched into a live conflict from a standing start last February. Although the catalytic call-to-arms for hackers to take aim at Russian cyberspace originated from Mykhailo Fedorov, Ukraine’s Minister of Digital Transformation, those first to answer were given no official government blueprint to build from, had no existing doctrine to consult or tried and tested standard operating procedures to pore over.
In sharp contrast to the dearth in direction, however, was a significant mass of domestic and international hacktivists ready to commit to supporting Ukraine’s defence, and it was this initial disparity in ‘reason’ and ‘resource’ that helped to forge the operating framework that continues to deliver digital blows to Moscow.
“It definitely isn’t very hard for us to recruit numbers; the difficulty lies in managing a large group of people with different backgrounds, and quite often different motivations, to do something for the same purpose,” Jenna, an official spokesperson for the IT Army and the executive responsible for overseeing the organisation’s strategy, told the CHACR. “When you run a voluntary body, it is practically impossible to build something as logical as a classic organisation in which people can report up and down. Voluntary organisations are more democratic and people within them tend to want more space and freedom, so you have to operate under these circumstances – to give up some control but keep things moving in the same direction.
“The early response to our Telegram group accounted for around 300,000 people. It was a big thing, another means of resistance, an entirely new type of unit not seen before in the history of the world and people were curious to find out what it was and how it was going to work. Some of these people were observers rather than individuals who really wanted to actively contribute but it was clear that we needed a framework that allowed us to take advantage of this strength.
“This brought us to the idea of focusing on DDoS [distributed denial-of-service] attacks – of using brute force and leveraging our big number of supporters.”
Having identified its modus operandi, the IT Army’s executives sat together to agree and define the group’s mission, which is published on its website and is aimed at ‘bringing Ukraine’s victory’ closer by ‘depleting the economy of the aggressor country’ through the disruption of ‘important financial, infrastructure, state services and the activities of large taxpayers’.
“We understood we could be an extension of the international economic sanctions rather than cyber intruders that break into military systems, which is nearly impossible to do,” said Jenna, who stressed the IT Army is solely focused on offensive operations and does not include any defensive cyber units. “The sanctions limit Russia from moving money and making money internationally but we can cause damage internally; to take down public services, intrude in their infrastructure and look for vulnerabilities.
“It is our deep understanding that this is how we can help win this war. Surviving as a nation is not only about winning on the battlefield – defeating Russian forces and kicking them out of our land is not enough. We must exhaust the enemy, make them incapable of fighting again, intruding again and committing acts of aggression again.”
It is under this overarching mission – and its inferred rules of engagement – that the IT Army’s multiple distributed groups are granted freedom of action.
“99 per cent of all missions fall within our mission statement and we try to be careful not to hurt those who can’t protect their life or rights. We do worry about collateral damage and have never attacked any healthcare services.
“As long as progress is being made within the framework, we [the executive team] are happy and do not intervene when it comes to the selection of specific targets. If you asked me what a particular group is working on right now, I couldn’t tell you and that’s the way it works.”
The deliberate absence of a common operating picture among the community of hackers serves to protect both those conducting the attacks and the organisation courting their services. With the threat of reprisals – be they physical, digital or legal – very real, anonymity is a necessary component of the IT Army’s foundation.
“We have mitigated the risks by building an organisation that is distributed and leverages the power of small autonomous groups that have diversified functions and minimal connections to one another. In most cases we don’t need the groups to be joined up. This way, if someone who is not clean [an individual wishing to harm rather than support the IT Army’s efforts] jumps into a working group they will only gain an understanding of the kind of communications we use and the type of strategic targets we are looking at. They won’t get any information that could help them to undermine the entire group. Our structure acknowledges that it is impossible to check out everyone who offers to help.”
And refusing assistance is not something the IT Army has any intention of making a habit of, given that maintaining mass matters on the cyber front, particularly when it comes to DDoS deployments that involve hackers attempting to overwhelm a selected IT infrastructure with traffic to prevent its normal use.
While the IT Army has purposely whittled down its Telegram subscribers from an initial 300,000 to circa 160,000 as it refined its mission, the content it produces and shares is focused on retaining and building its community of active members. It is exploring an expansion of its own online presence to other official social network channels but must exercise caution in doing so given its promotion of what is – certainly outside the theatre of conflict – criminal activity.
Precisely mapping its current reach is understandably difficult given that DDoS attacks are regarded as illegal in most jurisdictions and polling members as to their location could compromise confidentiality. The feeling among the IT Army’s executive team is that the majority of their most active hackers are based in Ukraine or Ukrainians now living abroad; however, wider research suggests a much greater geographic footprint. A survey of IT students in Norway, for example, revealed that more than 10 per cent of respondents had contributed to Ukraine’s cyber campaign. Whoever it is behind the hardware, their computing skills are bringing railways to a standstill, blocking banks from doing business and cracking “small puzzles that combine to weaken Russia” and remind its population that they are not beyond the reaches of the war.
Such victories continue to be championed by Fedorov in media interviews but Ukrainian Government endorsement of – or involvement in – the IT Army’s activities rarely extends beyond praise.
“Our operations are conducted independently,” concluded Jenna. “We do not coordinate with Ukraine’s Ministry of Defence or any conventional forces. However, we are open to mission suggestions from military and intelligence services and do receive requests from time to time. This connection is built through some personalities in the group and is not an official interorganisational connection. Things do not get done by sending letters or issuing formal orders.”
What is crystal clear is that, when faced with the sort of threat that confronts Ukraine, and when supported by a multiplicity of different friends and allies, the technique of ‘franchising national defence’ to all of those who are prepared to help is a model for the future that merits more serious examination. Democratic by design, the IT Army’s light touch when it comes to command and control is, perhaps contradictorily, a product of strong leadership. The executive team’s defining of a clear mission statement is a reminder that armies – whether kinetic or armed with keyboards – need, above all else, a clear purpose to thrive and survive.
AUTHOR: Andrew Simms is editor of The British Army Review and – during a 12-year tenure working for the Ministry of Defence – reported extensively from Kosovo, Iraq and Afghanistan.